LEADERS IN CYBERSECURITY
Esther Schagen-van Luit
Senior Manager, Deloitte Netherlands
Esther Schagen-van Luit is the Chief Information Security Officer (CISO) of Deloitte Netherlands and Belgium, protecting 15,000 colleagues in the Green Dot family. In her role, Esther is ultimately responsible for continuously improving and setting the bar high for Deloitte’s information security and securing customer data. From 2015 to 2021 Esther worked in the Dutch Cyber Strategy Team, where she served Deloitte clients in the field of security architecture, risk assessments, governance and security talent. Alongside her role as CISO, Esther is a keynote speaker in the field of information security, diversity and talent development in the industry. She is a role model dedicated to enthusing more girls and women about a career in the security sector. She is also an ambassador for diversity and inclusion and sustainability. She was selected as one of the Top 50 talents under 35 for 2023 in the Netherlands by Het Financieele Dagblad, the European newspaper of the year.
What does a typical day of work look like for you?
My typical day consists of a lot of emails and meetings due to requests for help or advice from colleagues around the world. The amount of context-switching I need to do in this role is incredible. And you never quite know when a critical vulnerability or security incident will arrive at your doorstep, requiring you to drop everything. My Dutch and Belgian teams and my fellow European CISOs are very important to me, so I find time to coach and support them in their career journeys. In summary, I problem-solve all day, often for problems I wasn’t even aware of the day before.
What aspects of your career journey have taken you by surprise?
When I switched from consulting to my internal position, I thought – it was still Deloitte. It’s still cybersecurity. How different can it be? I was unprepared for how this new role required a different skill set and the level of responsibility and ownership it brought. But I’ve learned as much in these last two years as a CISO as I have in my time as a consultant. I was surprised to see how much I was learning, despite being relatively late to the game.
Tell us about the cyber project you're most proud of working on in your career.
Although I’ve done many, I wouldn’t say there’s one particular project. After having had a consulting career in strategy, risk and architecture, I learned that my true passion is vulnerability management and incident response. The most beautiful thing is to see people from all walks of life come together to protect something we all care about, no matter the time of day or whether they have already had a long week. Things like Log4j and PrintNightmare are what you’d call Type 2 fun. At the moment, you think it’s terrible (unlike Type 1 fun), but it’s exhilarating afterwards.
How has public perception of cybersecurity changed over the course of your career, and how do you predict it will change in the future?
I hope and think we’ve successfully showcased how cybersecurity is a great industry for people from all walks of life, regardless of gender, sexuality, race, neurodiversity, age, educational background and physical impairments. Getting those images and stories of people with different backgrounds out there has helped make the industry more inclusive and fun. My hope for the future is that we stop stigmatizing those organizations that have been breached. It can happen to all of us, regardless of all the money and effort we’ve put in. It is more constructive to offer support for recovery than go ambulance chasing. Treat others how you’d like to be treated.
Tell us about your first job (can be anything!) and one lesson you might have learned from it.
My first proper job was at a supermarket distribution center, where I was responsible for routing shipments to local stores on Saturdays while in college. I was one of the few women in a very male-dominated environment, handing out orders. My male co-workers were all very kind and respectful, which helped me not be afraid of the cybersecurity industry and assume the CISO role, leading in a male-dominant environment where many employees were older than me.
What’s one piece of advice you’d give your younger self about getting started in cyber?
No matter how much studying you do, impostor syndrome will never disappear. I originally studied economics and management, so I felt unprepared to switch to cybersecurity. I did my CISSP exam after my first week at Deloitte and followed up with CISA and CISM within half a year. After that, I still didn’t feel good enough since I didn’t have a diploma for it. So, I pursued an Executive Master in Cybersecurity degree alongside my work. It turns out you can become a CISO for one of the largest companies in the world and it still doesn’t go away. I had an NL partner tell me it’s healthy – impostor syndrome keeps you humble and pushing forward.
Tell us about a role model or mentor who has helped shape your career.
I always struggle to name a real-life person because everyone has beautiful traits and some that are less than our own. So, I’d like to come out of the gate with Pippi Longstocking. Her bravery and willingness to try something she hasn’t done before is something I aspire to be. If I don’t know how to do it, I can probably read up on it or ask others for advice. Most problems can be solved with common sense. And very important for women in security – we should not let ourselves be stopped by the notions that society still has about what women should be like and do, like Pippi.
A meeting gets canceled and you have a surprise 30-minute window of free time — how do you spend it?
The boring answer is that I am really glad to have those 30 minutes to answer some emails that can help solve people’s problems. Considering the number of requests, I must make choices about what I prioritize, so I am grateful for any opportunity to do more. As an introvert, having many meetings wears me out, so whenever I need to relax, I turn my music on loud and sing along. Also, I love a good cup of Japanese green tea!
What are the ways you stay grounded and take care of yourself?
This is difficult, but it’s amazing how far we can stretch as humans. I was shocked by the workload when I switched from consultant to CISO. Then I got used to it. Another big stretch was the addition of Belgium, where I effectively took on another full-time role. But I remember how much stress I experienced as a junior consultant. Regardless of how difficult and time-consuming your job is, our subjective perception of it causes stress. I stay grounded by ensuring my identity doesn’t entirely rely on my job. I have a wide range of hobbies and sports that I commit to with a passion that equals the amount of effort I put into my work.
When you think about your personal legacy as a leader, what do you hope people will remember?
I’d like to describe myself as kind, brave and honest. I care a lot about my people and realizing their full potential, even if it’s to my detriment. I have a very strong moral compass, and I believe people will always see me act in line with my principles and integrity. As a young female leader in a technical field, I’d like to believe I am breaking a lot of stereotypes, which hopefully helps those around me strive to break stereotypes in their own way. I believe Deloitte is where you can always bring your best self to work. It’s just that sometimes you need someone to encourage you and show you that doing so is for the best.